
MIFARE CONTACTLESS CARD TECHNOLOGY

AN HID WHITE PAPER

GENERAL

The MIFARE contactless smart card and MIFARE card reader/writer were developed to
handle payment transactions for public transportation systems. Although contact smart
cards could also do the job, contactless readers are faster and easier to use, and there
is virtually no maintenance on the readers, or wear and tear on the cards.

MIFARE technology is owned by Philips Electronics. They do not make cards or readers,
but they make and sell the card and reader chips on the open market. A reader chip is
not required to read the card’s fixed random ID number, but it IS required to access any
data stored on the card. Philips has also licensed manufacture of the card chip
technology to Infineon.

Similarities between MIFARE and Proximity:

• Both are passive cards (no battery)
• Both consist of a chip and a coil antenna
• Both are available in ISO card packages, fobs, discs
• Both use RF energy to power the chip and send and receive data

Differences between MIFARE and HID Proximity:

MIFARE                            PROXIMITY
1 - 4 inch read range             3 - 30 inch range
Uses a frequency of 13.56 MHz     Uses 125 kHz
1000 bytes of data storage        85 bits of data storage
Holds 16 separate applications    Holds one application
Open standard                     Proprietary standard

HOW MIFARE IS USED

In fare collection systems, a MIFARE transit card is issued to a passenger, who goes to
an automated terminal and uses a credit card or cash to load value on to the card. The
value is stored in an “electronic purse” on the card, from which the appropriate fare is
subtracted every time the passenger boards a bus or train. When the stored value is
used up, the passenger goes to the automated terminal and reloads the electronic
purse.

Philips recommends the MIFARE cards for automatic fare collection, toll roads, airline
ticketing, loyalty schemes, park and ride, prepaid metering, and phone, banking, city, ID
and university cards.

Although MIFARE cards have security features, such as encrypted RF transmission,
mutual authentication, and security keys, most banks do not feel that MIFARE has
enough power or capability to process the type of encryption required for banking and
credit card transactions.

The MIFARE card has up to 16 separate sectors, which can be configured as purses or
for general data storage. The first sector is typically used as a directory for the rest of the
card, leaving 15 segments available for data or purses.

Up to 15 different applications can be stored on a MIFARE card, and these applications
will be separate and secure from one another by using unique keys (passwords) for
each sector. The only requirement is that the various application providers must
cooperate in the programming of the MIFARE Applications Directory (MAD), and that the
keys to this directory must be available to all application providers.

Each sector has two keys, called the A and B keys, allowing different access privileges
to that sector. These key pairs can be designated as read and read/write, or decrement
and increment/decrement. For example, this would allow turnstile readers with the A key
to only deduct value from a card sector, while ticket booth readers with the B key could
either add or subtract value.

The MIFARE card also has a 32-bit unique random number, which is permanently
encoded into each chip by the chip manufacturer (Philips or Infineon). This is
sometimes called the Card Serial Number (CSN) or Universal Identifier (UID), and can
be read by any MIFARE reader without knowing any of the secure keys used to protect
the rest of the card.

MIFARE FOR ACCESS CONTROL

While its short read range makes it less than ideal for access control, MIFARE is
becoming specified more frequently for access control applications due to its potential to
store multiple applications on one card.

At a large facility, the MIFARE card could serve as an access card, cafeteria debit card,
an ID card, a parking fee card, a library or equipment checkout card, or a vending
machine debit card. It could even store biometric templates to be verified by biometric
readers.

Some customers may already have MIFARE cards in use for other applications, and
would like to use their existing cards for access control applications. These customers
would only need to purchase readers from HID, and would program HID Access Control
data into an unused card sector, using the HID MIFARE Card Programmer. Alternately,
all or part of the 32-bit random CSN can be converted to Wiegand format and used for
access control (although most access panels cannot handle random numbers ranging
up to 4 billion).

Customers may want to purchase MIFARE cards and readers for access control
because of MIFARE’s future potential. These customers would purchase pre-
programmed cards as well as readers from HID.

Customers may be interested in HID’s dual technology card, which contains both 125
kHz HID and 13.56 MHz MIFARE chips and antennas. This card provides the longer
read range of proximity when used with 125 kHz readers, plus the added flexibility of
MIFARE. These customers may purchase proximity readers and dual technology cards
from HID, and may purchase the MIFARE readers either from HID, or from other
application providers.

MIFARE is very common in Europe and Asia, but it is also being specified for access
control in the US by agencies such as the US Navy.

MIFARE ACCESS CONTROL CARD PROGRAMMING

Although MIFARE cards and readers are available from many different suppliers
worldwide, HID is unique in its ability to provide readers and cards specifically configured
for access control OEMs requiring formatted Wiegand output. HID will have the
capability of programming OEM data into one of the sectors on the MIFARE cards, and
will be able to provide cards programmed with any facility code, format, and numbering
sequence currently available in 125 kHz proximity cards.

HID will also produce an HID MIFARE Card Programmer, which can program HID
formatted OEM Wiegand data into any available sector on an existing card. This
requires knowledge of the “write” keys for the existing card population.

The HID readers can find HID OEM data on the MIFARE card, and will output that data
via the Wiegand port.

HID’s capabilities can be contrasted with most other MIFARE reader suppliers who
satisfy the Wiegand requirement by taking the Philips random chip ID and converting it
to a 32 bit Wiegand output, or by cutting it down to a 26 bit Wiegand output. By basing
the output on a random number, it is impossible to provide a sequential series of
numbers, or a specified number range. Also, cutting off part of a large random number
(called truncating) creates a risk of number duplication (called aliasing).

Here is an example of aliasing caused by truncating: suppose you had three different
cards: 111234, 211234, 661234. Now suppose that in the reader software, you
truncate the number (make it smaller) by cutting off the two highest digits, producing
1234, 1234, 1234. Obviously, three different cardholders with unique cards will now be
seen by the system as the same person.
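The same aliasing, worked through in binary as an added example (not code from HID or from this white paper): a 32-bit CSN is cut down to the 24 data bits of a 26-bit Wiegand frame, and the chance of a duplicate in a card population is estimated. The truncation rule (keep the low 24 bits), the common 8-bit facility / 16-bit card layout with two parity bits, and the sample CSNs are assumptions made for illustration.

```python
import math

def wiegand26(facility: int, card: int) -> str:
    """26-bit Wiegand frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    data = f"{facility & 0xFF:08b}{card & 0xFFFF:016b}"
    left, right = data[:12], data[12:]
    even = str(left.count("1") % 2)         # left half plus parity has an even count of 1s
    odd = str((right.count("1") + 1) % 2)   # right half plus parity has an odd count of 1s
    return even + data + odd

def truncate_csn(csn: int) -> str:
    """Assumed truncation rule: keep only the low 24 bits of the 32-bit CSN."""
    low24 = csn & 0xFFFFFF
    return wiegand26(low24 >> 16, low24 & 0xFFFF)

def find_aliases(csns):
    """Group CSNs whose truncated frames are identical; return groups of two or more."""
    frames = {}
    for csn in csns:
        frames.setdefault(truncate_csn(csn), []).append(csn)
    return [group for group in frames.values() if len(group) > 1]

def collision_probability(cards: int, bits: int = 24) -> float:
    """Birthday approximation: chance that any two of `cards` random IDs alias."""
    return 1.0 - math.exp(-cards * (cards - 1) / (2 * 2 ** bits))

# Constructed CSNs: the first three differ only in the byte that truncation discards,
# mirroring the 111234 / 211234 / 661234 example in the text.
SAMPLE_CSNS = [0x11AB1234, 0x21AB1234, 0x66AB1234, 0x11AB1235]

if __name__ == "__main__":
    for group in find_aliases(SAMPLE_CSNS):
        print("aliased:", [f"{c:08X}" for c in group])
    for n in (500, 5000, 20000):
        print(n, "cards ->", round(collision_probability(n), 3))
```

With random IDs the duplicate risk grows with the square of the population, so a truncation that looks safe for a few hundred cards is not safe for a few thousand.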

HID’s method of encoding numbers into the MIFARE memory sectors will provide the
kind of card programming that OEMs expect without the risk of aliasing, and the
inconvenience of random numbering.

TECHNICAL DETAILS

Card Memory Structure

Each of the 16 Sectors on the MIFARE card consists of four 16-byte blocks numbered 0-
3, containing the following:

Block 0 – Data*
Block 1 – Data
Block 2 – Data
Block 3 – Sector Trailer

* In Sector 0, Block 0 contains the card manufacturer code and 32-bit ID, as
programmed by the IC manufacturer. It cannot contain any user data and
cannot be modified. This data can be read without MIFARE Keys. In all other
sectors, Block 0 may be programmed with user data.

Blocks 0 – 2 of any given sector contain whatever user data is encoded into them.
Depending on how the data is formatted, a block may be data, or it may be stored value.

Block 3, the Sector Trailer, contains keys and access conditions for all four blocks
including itself. There is only one key pair for the sector, but there can be unique access
conditions for those keys in each block:

Security Key A
Access Conditions
    For Block 0
    For Block 1
    For Block 2
    For Block 3
Security Key B

Having two keys per sector enables the system manager to structure the encoding of
cards so that different people (using different readers) have different privileges with
respect to the data. For example, in a card with stored data, a reader with Key A would
be able to read Block 1, whereas a reader with Key B would be able to read and write to
Block 1. Or a reader with Key A could be denied access to Block 1, whereas a reader
with Key B could read the data. Or, in a system with stored value, a reader with Key A
could increment a value in Block 1, whereas a reader with Key B could only decrement
that same value.

Access Conditions

Access conditions for a given segment can be unique for each block 0 – 3. Access
conditions for each of the four blocks in a segment are expressed as a 3-bit binary
number (000 – 111), which allows 8 different possible ways to configure the access of
each Key Pair to each block.

Access conditions for the sector trailer can allow or prevent one or both keys and/or the
access condition table from being read or changed.

Access conditions for the data blocks can allow or prevent data from being read, written,
incremented or decremented by using one or both keys.
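As an added example (not HID's or Philips' code), the following decodes the 3-bit access condition of each block from a 16-byte sector trailer and rebuilds the access bytes from those codes. The byte layout (Key A in bytes 0-5, access bits with their inverted copies in bytes 6-8, one general-purpose byte, Key B in bytes 10-15) is taken from the MF1 IC S50 datasheet rather than from this page, and the keys in the sample trailer are constructed.

```python
def parse_sector_trailer(trailer: bytes) -> dict:
    """Split a sector trailer into keys and one 3-bit access code per block."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    key_a, acc, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
    # Each of C1, C2, C3 is a nibble holding one bit per block (bit n = block n),
    # stored once as-is and once inverted so that corruption can be detected.
    c1_inv, c2_inv = acc[0] & 0x0F, acc[0] >> 4
    c3_inv, c1 = acc[1] & 0x0F, acc[1] >> 4
    c2, c3 = acc[2] & 0x0F, acc[2] >> 4
    if (c1 ^ c1_inv, c2 ^ c2_inv, c3 ^ c3_inv) != (0xF, 0xF, 0xF):
        raise ValueError("access bits do not match their inverted copies")
    access = {}
    for block in range(4):
        bits = ((c1 >> block) & 1, (c2 >> block) & 1, (c3 >> block) & 1)
        access[block] = "".join(str(b) for b in bits)   # e.g. "001"
    return {"key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
            "access": access}

def encode_access_bits(access: dict) -> bytes:
    """Build trailer bytes 6-8 from a {block: 'c1c2c3'} mapping."""
    c1 = c2 = c3 = 0
    for block, code in access.items():
        b1, b2, b3 = (int(ch) for ch in code)
        c1 |= b1 << block
        c2 |= b2 << block
        c3 |= b3 << block
    return bytes([((~c2 & 0xF) << 4) | (~c1 & 0xF),
                  (c1 << 4) | (~c3 & 0xF),
                  (c3 << 4) | c2])

# Constructed trailer as a card programmer would compose it before writing:
# made-up keys around the access bytes FF 07 80 and general-purpose byte 69.
SAMPLE_TRAILER = bytes.fromhex("112233445566" "FF0780" "69" "AABBCCDDEEFF")

if __name__ == "__main__":
    parsed = parse_sector_trailer(SAMPLE_TRAILER)
    for block, code in parsed["access"].items():
        print(f"block {block}: access condition {code}")
    print("re-encoded:", encode_access_bits(parsed["access"]).hex().upper())
```

The inverted-copy check matters when composing trailers: the datasheet describes a sector whose access bits fail this format check as irreversibly blocked, so a programmer tool should validate the three bytes before writing them.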

These access conditions are shown in the tables below (from the Philips IC
specification):

Value and Data Blocks

Depending on how it is encoded by the factory or the integrator, a data block can be
either a read/write block, containing 16 bytes of general data, or it can be a value block
containing 4 bytes of value data. Only value blocks can be incremented, decremented,
transferred or restored.

Value Blocks consist of:

4 bytes of address information
4 bytes of value data
4 bytes of the complement of the value data
4 bytes of value data repeated

The value is stored three times in a value block to allow error detection and correction
capability. A sector could contain any combination of value or data blocks in blocks 0-2.
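An added example (not from the white paper) of how the redundant copies let a reader reject a damaged purse block before acting on it. The byte order used here follows the MF1 IC S50 datasheet (value, inverted value, value, then four address bytes, with the value a signed little-endian integer), which is an assumption not stated on this page; the balance, fare and block address are constructed.

```python
import struct

def encode_value_block(value: int, addr: int) -> bytes:
    """Build a 16-byte value block: value, ~value, value, addr, ~addr, addr, ~addr."""
    v = struct.pack("<i", value)              # signed 32-bit, least significant byte first
    v_inv = bytes(b ^ 0xFF for b in v)
    a, a_inv = addr & 0xFF, ~addr & 0xFF
    return v + v_inv + v + bytes([a, a_inv, a, a_inv])

def decode_value_block(block: bytes):
    """Return (value, addr), or raise ValueError if the redundant copies disagree."""
    if len(block) != 16:
        raise ValueError("value block must be 16 bytes")
    v1, v_inv, v2 = block[0:4], block[4:8], block[8:12]
    a, a_inv, a2, a_inv2 = block[12:16]
    if v1 != v2 or bytes(b ^ 0xFF for b in v1) != v_inv:
        raise ValueError("value copies disagree")
    if a != a2 or a_inv != a_inv2 or a ^ a_inv != 0xFF:
        raise ValueError("address copies disagree")
    return struct.unpack("<i", v1)[0], a

def debit(block: bytes, fare: int) -> bytes:
    """Model a decrement: validate the block, refuse to overdraw, re-encode."""
    value, addr = decode_value_block(block)
    if fare < 0 or fare > value:
        raise ValueError("fare is negative or exceeds stored value")
    return encode_value_block(value - fare, addr)

# Constructed purse: 1250 units stored in block 4.
SAMPLE_PURSE = encode_value_block(1250, 4)

if __name__ == "__main__":
    print("purse block :", SAMPLE_PURSE.hex())
    print("after fare  :", decode_value_block(debit(SAMPLE_PURSE, 275)))
    damaged = bytearray(SAMPLE_PURSE)
    damaged[0] ^= 0x01                        # single flipped bit in the first value copy
    try:
        decode_value_block(bytes(damaged))
    except ValueError as err:
        print("rejected    :", err)
```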

MIFARE KEYS

MIFARE Keys are basically numeric passwords used to control access to information
stored on the MIFARE contactless card (using the Philips MF1 IC S50 chip or
equivalent). A MIFARE Key is a 6-byte (or 48-bit) data field, typically expressed as 12
Hex characters. The key can be any number from 000000000000 – FFFFFFFFFFFF.

MIFARE Keys are associated in pairs, with one referred to as the A Key and the other as
the B Key.

Each sector on the MIFARE card (0-15) has a key pair, which means that there are 16
key pairs on a MIFARE Card. Each key pair controls access to data in the sector in
which it is located.
